Your go-to hub for Expert Insights,
Publications, and Resources
on
data privacy and compliance

Our resources provide the essential tools, guides, and insights to help your business stay ahead of data privacy regulations. From practical templates to expert articles, we ensure you have everything you need to navigate compliance with confidence.

Last Updated: 2026-07-16 ~ DPDP Consultants

Cookies Under DPDPA: What Websites Must Change by 2027

Cookies Under DPDPA compliance guide for Indian websites before May 2027 deadline

Chapter 1: Introduction

Every time a user visits a website in India, dozens of cookies are placed on their browser. Some keep the session alive. Some remember language preferences. Others track every page the user visits, build a behavioral profile, and share that profile with advertising networks across the internet. Until now, most Indian websites have treated cookies as an invisible backend function, deploying them silently without informing users or seeking their consent.

The Digital Personal Data Protection Act, 2023 (DPDPA), changes this entirely. Under the Act, any data that identifies or is capable of identifying an individual is personal data. Cookies that store user IDs, track browsing behavior, record IP addresses, or create unique identifiers for advertising purposes fall squarely within this definition. When a website places such cookies on a user's browser without informed consent, it is processing personal data in violation of the law.

The compliance deadline is May 2027. By that date, every website that serves Indian users must have a DPDPA-compliant cookie consent mechanism in place. This is not a minor technical update. It requires auditing every cookie on the website, classifying them by purpose, redesigning consent banners, updating privacy policies, building consent withdrawal mechanisms, and maintaining records that prove compliance.

This guide provides a plain-language, practical breakdown of what the DPDPA means for website cookies, what changes every website must make, and how to implement compliant cookie consent management before the deadline.


Chapter 2: Are Cookies Personal Data Under the DPDPA?

The DPDPA defines personal data as any data about an individual who is identifiable by or in relation to such data.

Cookies That Are Personal Data

        Unique Identifiers: Cookies that assign a unique ID to a user (such as Google Analytics _ga cookies, Facebook _fbp cookies, or any session ID tied to a logged-in account) create an identifier that can be linked back to a specific individual. This is personal data.

        Behavioral Tracking: Cookies that track which pages a user visits, how long they spend on each page, what they click, what they add to a cart, or what they search for, create a behavioral profile. When this profile is linked to a device, an IP address, or a user account, it becomes personal data.

        Cross-Site Tracking: Third-party advertising cookies (such as those placed by Google Ads, Meta Pixel, or programmatic advertising platforms) track users across multiple websites, building detailed profiles that can include interests, purchasing intent, location history, and demographic inferences. This data is personal data under the DPDPA.

        Authentication and Session Cookies: Cookies that maintain a logged-in session are directly tied to a user account and are therefore personal data. However, these fall under legitimate use provisions when they are strictly necessary for providing the service.

Cookies That May Not Be Personal Data

Strictly necessary cookies that perform a purely technical function without identifying the user, such as load balancing cookies, CSRF tokens, or cookies that remember whether a cookie consent banner has been dismissed, may not constitute personal data if they do not create or use any identifier linked to an individual. However, the burden of proving that a cookie does not process personal data falls on the Data Fiduciary, not the user.


Chapter 3: Types of Cookies and Their DPDPA Classification

Not all cookies are created equal. Understanding the four main categories of cookies and their compliance requirements under the DPDPA is essential for building a compliant consent mechanism.

1. Strictly Necessary Cookies

These cookies are essential for the website to function. They enable core features like page navigation, secure areas access, shopping cart functionality, and session management. Without them, the website cannot operate as intended. Under the DPDPA, strictly necessary cookies may be processed under the legitimate use provision without requiring explicit consent, because the user has voluntarily accessed the website and these cookies are necessary to provide the requested service. However, websites should still disclose these cookies in their privacy policy and cookie notice for transparency.

2. Functional Cookies

Functional cookies enhance the user experience by remembering preferences such as language selection, region, text size, or display settings. While they improve usability, they are not essential for the website to function. Under the DPDPA, functional cookies require explicit consent because they process personal data (user preferences linked to a browser or session) for a purpose beyond the core service delivery. Users must be given the choice to accept or reject these cookies without being denied access to the website.

3. Analytics Cookies

Analytics cookies collect data about how users interact with the website: which pages are visited, how long users spend on each page, bounce rates, traffic sources, and user flow. Tools like Google Analytics, Adobe Analytics, and Hotjar use these cookies extensively. Under the DPDPA, analytics cookies require explicit consent. They create unique identifiers, track behavior over time, and build profiles that constitute personal data. The fact that the data may be "anonymized" or "aggregated" at some point in the processing pipeline does not eliminate the consent requirement, because the initial collection involves personal data.

4. Advertising and Tracking Cookies

These are the most invasive category. Advertising cookies are placed by third-party ad networks (Google Ads, Meta, programmatic platforms) and track users across multiple websites to build interest profiles for targeted advertising. They enable retargeting (showing ads for products a user browsed on another site), cross-device tracking, and audience segmentation. Under the DPDPA, advertising and tracking cookies absolutely require explicit, informed, and granular consent. They process personal data for a purpose entirely separate from the service the user requested. Consent must be specific to this purpose, and the user must be able to reject these cookies while still accessing the website.


Chapter 4: What Is Wrong with Most Cookie Banners Today

Most Indian websites currently fail to meet DPDPA standards for cookie consent.

Common Violations

        Implied Consent: Many websites display a banner that says "By continuing to browse this site, you agree to our use of cookies." This is implied consent, and it does not meet the DPDPA's requirement of free, specific, informed, and unambiguous consent given through a clear affirmative action.

        No Granular Choice: Most banners offer only an "Accept All" or "OK" button. Users cannot choose which categories of cookies to accept and which to reject. The DPDPA requires purpose-specific consent, meaning users must be able to consent to necessary cookies while rejecting analytics or advertising cookies.

        Pre-Selected Options: Some websites present cookie preference panels where all categories are pre-selected (opt-out model). Under the DPDPA, consent must be opt-in. Non-essential cookies must be deselected by default, and the user must actively choose to enable them.

        Dark Patterns: Websites that make the "Accept All" button prominent and large while hiding the "Reject" or "Manage Preferences" option in small text or behind additional clicks are using dark patterns. The DPDPA requires that rejecting cookies be as easy as accepting them.

        No Withdrawal Mechanism: Most websites have no mechanism for users to change their cookie preferences after the initial banner interaction. The DPDPA requires that consent withdrawal be as easy as giving consent.

        Cookies Fired Before Consent: Many websites load analytics and advertising cookies immediately when the page loads, before the user has even seen the consent banner. Under the DPDPA, non-essential cookies must not be placed until the user has given affirmative consent.

 

Chapter 5: What a DPDPA-Compliant Cookie Banner Looks Like

A compliant cookie consent mechanism under the DPDPA must meet several specific requirements. Here is what every website needs to implement.

Clear and Prominent Notice

The cookie banner must clearly inform users that the website uses cookies, explain what cookies are used for in plain language, and describe the specific categories of cookies deployed. The notice must be available in English and, where the website serves users in specific regions, in the relevant regional languages listed in the Eighth Schedule of the Constitution.

Granular Consent Options

Users must be presented with a clear breakdown of cookie categories: strictly necessary (pre-enabled, not toggleable), functional, analytics, and advertising/tracking. Each non-essential category must be off by default (opt-in model). Users must be able to toggle each category individually. The banner should include three action buttons: "Accept All" (enables all categories), "Reject All" (disables all non-essential categories), and "Save Preferences" (applies the user's custom selection). All three buttons must be equally prominent, with no dark patterns making one option visually dominant.

No Cookies Before Consent

Non-essential cookies must not be placed on the user's browser until affirmative consent has been obtained. This requires implementing a consent-first architecture where analytics scripts, advertising pixels, and functional cookie scripts are blocked from loading until the user makes their selection. Only strictly necessary cookies may be loaded before consent.

Easy Withdrawal

The website must provide a persistent and easily accessible mechanism for users to revisit and change their cookie preferences at any time. This is typically implemented as a small floating icon (often a cookie or shield icon) or a link in the website footer labeled "Cookie Preferences" or "Manage Cookies." Withdrawing consent must be as simple as giving it: the same number of clicks, the same level of visibility.

Consent Records

The Data Fiduciary must maintain records of consent: when consent was given, what was consented to, the version of the consent notice presented, and when consent was withdrawn. These records serve as proof of compliance in case of a regulatory inquiry or complaint to the Data Protection Board.


Chapter 6: Step-by-Step Compliance Checklist

Achieving cookie compliance under the DPDPA requires a structured approach. The following checklist outlines the seven essential steps every website must complete before May 2027.



Step 1: Audit All Cookies

Conduct a complete audit of every cookie placed by your website. Use browser developer tools or automated scanning tools to identify all first-party and third-party cookies, their source scripts, their purpose, their expiration period, and whether they process personal data. This audit must cover all pages, not just the homepage.

Step 2: Classify Cookies by Type and Purpose

Categorize every cookie into one of the four categories: strictly necessary, functional, analytics, or advertising/tracking. Document the purpose of each cookie, the data it collects, the third parties it shares data with, and its retention period. This classification forms the foundation of your consent mechanism.

Step 3: Implement a Granular Consent Banner

Design and deploy a cookie consent banner that meets DPDPA requirements: clear notice, granular category-level toggles, opt-in defaults for non-essential cookies, equally prominent Accept All/Reject All/Save Preferences buttons, and no cookies fired before consent. Ensure the banner appears on every page for first-time visitors and is accessible for returning visitors to modify their preferences.

Step 4: Update Your Privacy Policy

Your privacy policy must include a detailed cookie section that lists all cookies used, their categories, their purposes, the third parties involved, and their retention periods. The policy must explain how users can manage their cookie preferences, withdraw consent, and exercise their rights under the DPDPA.

Step 5: Enable Consent Withdrawal

Implement a persistent, easily accessible mechanism for users to change their cookie preferences after the initial consent interaction. This can be a floating icon, a footer link, or a dedicated cookie preferences page. When a user withdraws consent for a cookie category, the corresponding cookies must be deleted and the associated scripts must stop loading.

Step 6: Maintain Consent Records

Build or deploy a system that records every consent interaction: the timestamp, the consent version, the categories consented to, and any subsequent modifications or withdrawals. These records are essential for demonstrating compliance during audits or regulatory inquiries.

Step 7: Deploy Automated Cookie Consent Management

Manual cookie management is not sustainable for websites with dozens of cookies, frequent updates, and millions of visitors. Automated Cookie Consent Management platforms handle the entire lifecycle: scanning for new cookies, classifying them, presenting compliant banners, blocking scripts before consent, recording consent, and managing withdrawals. This is the most effective way to ensure ongoing compliance as your website evolves.

 

Chapter 7: Impact on Key Industries

Cookie compliance affects every industry, but some sectors face unique challenges due to the nature of their websites, the volume of user traffic, and the types of cookies they deploy.

E-Commerce

E-commerce websites are among the heaviest users of cookies. They deploy session cookies for cart management, analytics cookies to track conversion funnels, retargeting cookies to bring back abandoned cart users, and affiliate tracking cookies to attribute sales. Under the DPDPA, the retargeting and advertising cookies that drive a significant portion of e-commerce revenue will require explicit consent. Websites must ensure that users can shop and checkout without being forced to accept non-essential cookies.

Media and Publishing

News websites, blogs, and digital publications rely heavily on advertising revenue, which depends on tracking cookies that build reader profiles for programmatic ad sales. The DPDPA will require these websites to obtain consent before loading ad-tech scripts. This may reduce the volume of targetable impressions, pushing publishers toward consent-or-pay models or contextual advertising strategies that do not rely on personal data.

Banking and Financial Services

Banks, NBFCs, insurance companies, and fintech platforms collect highly sensitive data through their websites. Analytics cookies that track how users interact with loan calculators, investment pages, or insurance quote forms can reveal financial intent and risk profile. Under the DPDPA, these cookies require consent, and the sensitivity of the inferred data raises the compliance stakes significantly.

Healthcare

Healthcare websites, telemedicine platforms, and pharmacy portals process data that can reveal health conditions and treatment interests. A user browsing pages about diabetes management or cancer treatment creates a health-related behavioral profile through analytics cookies. Under the DPDPA, processing this data without consent is a clear violation with heightened risk.

Government and Public Sector

Government websites serving citizens, such as tax portals, benefit platforms, and e-governance services, must also comply. While some processing may fall under the State's legitimate use provision, analytics and third-party cookies on government websites still require compliance. The government's own data protection obligations set the standard for the private sector.


Chapter 8: How DPDP Consultants Can Help

Cookie compliance is not a one-time fix. It is an ongoing operational requirement that must keep pace with website changes, new cookie deployments, and evolving regulations. DPDP Consultants provides end-to-end cookie compliance services as part of our broader DPDPA compliance program.

 

Cookie Notice Formulation
Beyond the technology, getting the cookie notice right is a legal and communication challenge. Our Cookie Notice Formulation consulting service helps organisations draft clear, legally compliant, and user-friendly cookie notices that meet DPDPA requirements while maintaining brand trust.

        Comprehensive review of all cookies deployed on your website and mapping each cookie to a specific, clearly stated processing purpose that satisfies DPDPA's informed consent requirement.

        Drafting of plain-language cookie notices that explain what data is collected, why it is collected, who it is shared with, and how long it is retained, written for real users rather than legal departments.

        Purpose-specific consent language tailored to each cookie category (functional, analytics, advertising) so that consent is genuinely informed and granular, not bundled into a single blanket statement.

        Alignment of cookie notices with your broader Privacy Policy and Terms of Use to ensure consistency across all user-facing disclosures and eliminate contradictions that regulators may flag.

        Periodic review and update of cookie notices whenever new cookies are added, third-party integrations change, or regulatory guidance evolves, ensuring your notice remains accurate and compliant at all times.

        Regional language adaptation of cookie notices into Hindi and other scheduled languages as required by the DPDPA, ensuring that users across India can understand what they are consenting to.

Cookie Consent Management Tool

Our automated Cookie Consent Management platform handles the complete cookie compliance lifecycle for your website.

        Automated scanning and detection of all cookies on your website, including new cookies added by script updates or third-party integrations.

        Automatic classification of cookies into compliant categories with human review and approval workflow.

        DPDPA-compliant consent banner with granular category-level toggles, opt-in defaults, and equally prominent Accept/Reject/Save buttons.

        Consent-first architecture that blocks non-essential scripts until the user provides affirmative consent.

        Persistent consent withdrawal mechanism accessible from every page.

        Comprehensive consent record keeping with timestamp, version, category, and modification history for audit readiness.

        Multi-language support for consent banners, covering English, Hindi, and regional languages.

Broader Compliance Support

Cookie consent is one piece of the DPDPA compliance puzzle. DPDP Consultants also provides DPDPA Gap Assessment, Privacy Framework Implementation, DPO as a Service, and the full suite of DPDPA Automation Tools including Data Principal Consent Management, Grievance Redressal, DPIA, Awareness Programs, and Third-Party Assessment.


Frequently Asked Questions (FAQs)

Q: Do all cookies require consent under the DPDPA?

A: No. Strictly necessary cookies that are essential for the website to function (session management, security tokens, load balancing) may be processed under the legitimate use provision without explicit consent. All other cookies, including functional, analytics, and advertising cookies, require informed, specific, and affirmative consent.

Q: Can I use a "cookie wall" that blocks access unless the user accepts all cookies?

A: No. A cookie wall that forces users to accept all cookies or leave the website does not constitute free consent under the DPDPA. Users must be able to access the website and its core functionality even if they reject non-essential cookies.

Q: Does Google Analytics require consent under the DPDPA?

A: Yes. Google Analytics uses cookies that create unique identifiers and track user behavior across sessions. This constitutes processing of personal data under the DPDPA, requiring explicit consent before the analytics script is loaded.

Q: What about cookies set by third-party widgets like social media share buttons?

A: If third-party widgets (Facebook Like buttons, Twitter embeds, YouTube video players) set cookies that track user behavior, those cookies require consent. The website operator is responsible for ensuring that third-party scripts do not place non-essential cookies before the user has consented.

Q: How often should I audit my website's cookies?

A: A comprehensive cookie audit should be conducted at least quarterly, and immediately after any significant website update, new feature launch, or third-party integration change. Automated cookie scanning tools can perform continuous monitoring to catch new cookies as they appear.

Q: What are the penalties for non-compliant cookie practices?

A: Under the DPDPA, failure to obtain valid consent for processing personal data can result in penalties of up to Rs 50 crore. If the non-compliant cookie practices contribute to a data breach, penalties can reach Rs 250 crore. Beyond financial penalties, non-compliance damages user trust and brand reputation.

Q: Is the DPDPA cookie requirement similar to GDPR's cookie rules?

A: The principles are similar: both require informed, specific, opt-in consent for non-essential cookies. However, the DPDPA has its own definitions, enforcement mechanisms, and penalty structure. Websites already compliant with GDPR cookie rules will find it easier to achieve DPDPA compliance, but should not assume automatic compliance.

Q: Can I use a Consent Manager to handle cookie consent?

A: Yes. The DPDPA introduces the concept of registered Consent Managers who act as intermediaries between Data Principals and Data Fiduciaries. Additionally, automated Cookie Consent Management platforms (like the one offered by DPDP Consultants) provide the technical infrastructure to implement compliant cookie banners, block scripts before consent, and maintain consent records.


Make Your Website DPDPA-Compliant Before May 2027

The cookie consent landscape in India is about to change permanently. Websites that continue with implied consent, pre-selected checkboxes, and dark pattern banners will face regulatory action, financial penalties, and loss of user trust. The time to act is now.

DPDP Consultants provides the expertise and technology to make your website's cookie practices fully compliant with the DPDPA. From initial cookie audits and classification to automated consent banner deployment and ongoing monitoring, we handle every step.

Contact us today:

        Website: www.dpdpconsultants.com

        Email: info@dpdpconsultants.com

Your cookie banner is the first privacy interaction your users have with your brand. Make it count.


 

Disclaimer: This document is prepared by DPDP Consultants for informational purposes only. It does not constitute legal advice and should not be relied upon as a substitute for professional legal counsel. The information contained herein is based on the Digital Personal Data Protection Act, 2023, and publicly available information about the DPDP Rules as of July 2026. Laws, regulations, and their interpretations may change. Readers should consult qualified legal professionals for advice specific to their circumstances. DPDP Consultants assumes no liability for any actions taken or not taken based on the contents of this document.